High severity · 7.1 · NVD Advisory · Published Mar 3, 2025 · Updated Apr 23, 2026

CVE-2025-23536

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 Track Page Scroll track-page-scroll allows Reflected XSS. This issue affects Track Page Scroll: from n/a through <= 1.0.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Track Page Scroll WordPress plugin versions ≤1.0.2 contain a Reflected XSS vulnerability allowing script injection via improper input neutralization.

The Track Page Scroll WordPress plugin (version 1.0.2 and earlier) is vulnerable to a Reflected Cross-Site Scripting (XSS) attack. The root cause is Improper Neutralization of Input During Web Page Generation, meaning the plugin fails to sanitize or escape user-supplied input before including it in a web page response [1].

Exploitation requires user interaction. An attacker must trick a victim, such as an administrator or other site user with the required role privileges, into clicking a crafted malicious link or visiting a specially prepared page [1]. This vulnerability is considered moderately dangerous and is expected to be targeted in mass-exploit campaigns, as attackers often use reflected XSS to compromise thousands of sites regardless of their size or popularity [1].

If successfully exploited, the attacker can inject arbitrary malicious scripts, including redirects, advertisements, and other HTML payloads [1]. These scripts execute when other users (such as site visitors or administrators) access the affected page, leading to potential data theft, session hijacking, or defacement.

Mitigation is strongly advised. The vendor has not released an official patch as of the vulnerability disclosure; however, a mitigation rule is available through Patchstack to block attacks until an update can be safely applied. The recommended immediate action is to update the plugin if a patched version becomes available, or to contact a hosting provider or web developer for assistance [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
